From 56a01e1e64fbf7de40a568173aa6546744de3c7e Mon Sep 17 00:00:00 2001
From: slawkens1 <slawkens@gmail.com>
Date: Sun, 12 Nov 2017 21:55:12 +0100
Subject: [PATCH] * fixed account email confirm function

* log some error info when mail cannot be sent on account create
* fixed some weird include possibilities with forum and account actions
(verify action name)
* twig getLink function will now return with full url (BASE_URL
included)
* fixed some changelog PHP Notice warning
* (internal) shortened message functions
---
 index.php                              |  6 ++----
 system/functions.php                   | 24 ++++++++++++-----------
 system/init.php                        |  6 +-----
 system/pages/account.php               | 14 +++----------
 system/pages/account/confirm_email.php | 27 ++++++++++++++++++++++++++
 system/pages/accountmanagement.php     | 20 ++++++++++++++++---
 system/pages/changelog.php             |  1 +
 system/pages/createaccount.php         |  7 ++++---
 system/pages/forum.php                 |  9 +++++++--
 9 files changed, 75 insertions(+), 39 deletions(-)
 create mode 100644 system/pages/account/confirm_email.php

diff --git a/index.php b/index.php
index a91234a5..8443c651 100644
--- a/index.php
+++ b/index.php
@@ -89,6 +89,7 @@ else {
 		'/^account\/character\/delete\/?$/' => array('subtopic' => 'accountmanagement', 'action' => 'delete_character'),
 		'/^account\/character\/comment\/[A-Za-z]+\/?$/' => array('subtopic' => 'accountmanagement', 'action' => 'change_comment', 'name' => '$3'),
 		'/^account\/character\/comment\/?$/' => array('subtopic' => 'accountmanagement', 'action' => 'change_comment'),
+		'/^account\/confirm_email\/[A-Za-z0-9-_]+\/?$/' => array('subtopic' => 'accountmanagement', 'action' => 'confirm_email', 'v' => '$2'),
 		'/^characters\/[A-Za-z0-9-_%+\']+$/' => array('subtopic' => 'characters', 'name' => '$1'),
 		'/^commands\/add\/?$/' => array('subtopic' => 'commands', 'action' => 'add'),
 		'/^commands\/edit\/?$/' => array('subtopic' => 'commands', 'action' => 'edit'),
@@ -135,14 +136,11 @@ else {
 			break;
 		}
 	}
-	
-	if(!$found)
-		$_REQUEST['p'] = $uri;
 }
 
 // define page visited, so it can be used within events system
 $page = isset($_REQUEST['subtopic']) ? $_REQUEST['subtopic'] : (isset($_REQUEST['p']) ? $_REQUEST['p'] : '');
-if(empty($page) || preg_match('/[^A-z0-9\/_\-]/', $page)) {
+if(empty($page) || !preg_match('/^[A-z0-9\_\-]+$/', $page)) {
 	if(!$found)
 		$page = '404';
 	else
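Review bot: The new `preg_match` allow-list still uses the range `A-z`, which in ASCII also admits `[`, `\`, `]`, `^` and the backtick, so the check is looser than it reads. Spell the classes out as `/^[A-Za-z0-9_\-]+$/` so only letters, digits, underscore and hyphen pass. The `if` body that assigns `$page = '404'` continues outside the hunk, so how a non-matching `$page` is consumed further down is not visible here.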
diff --git a/system/functions.php b/system/functions.php
index 336eb598..7a5dcbb3 100644
--- a/system/functions.php
+++ b/system/functions.php
@@ -9,23 +9,25 @@
  */
 defined('MYAAC') or die('Direct access not allowed!');
 
-function success($message, $return = false) {
+function message($message, $type, $return)
+{
 	if($return)
-		return '<p class="success">' . $message . '</p>';
+		return '<p class="' . $type . '">' . $message . '</p>';
 	
-	echo '<p class="success">' . $message . '</p>';
+	echo '<p class="' . $type . '">' . $message . '</p>';
+	return true;
+}
+function success($message, $return = false) {
+	return message($message, 'success', $return);
 }
 function warning($message, $return = false) {
-	if($return)
-		return '<p class="warning">' . $message . '</p>';
-	
-	echo '<p class="warning">' . $message . '</p>';
+	return message($message, 'warning', $return);
+}
+function note($message, $return = false) {
+	return message($message, 'note', $return);
 }
 function error($message, $return = false) {
-	if($return)
-		return '<p class="error">' . $message . '</p>';
-	
-	echo '<p class="error">' . $message . '</p>';
+	return message($message, 'error', $return);
 }
 
 function longToIp($ip)
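Review bot: The new `message()` helper has no docblock, and it writes both `$type` and `$message` into the HTML verbatim, so the contract that callers pass already-safe markup (the createaccount.php hunks route `$email` and `$mailer->ErrorInfo` through it) is only implicit. Add above the function a short PHPDoc such as `/** Echo (or return, when $return is true) a <p class="$type"> box. $message is emitted as raw HTML and must already be escaped by the caller; $type is one of the CSS classes success/warning/note/error. */`. Worth stating in that comment as well: the echo path now returns `true`, whereas the old per-class helpers returned nothing.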
diff --git a/system/init.php b/system/init.php
index 3c748cf7..0644a58c 100644
--- a/system/init.php
+++ b/system/init.php
@@ -47,11 +47,7 @@ $function = new Twig_SimpleFunction('getStyle', function ($i) {
 $twig->addFunction($function);
 
 $function = new Twig_SimpleFunction('getLink', function ($s) {
-	global $config;
-	if($config['friendly_urls'])
-		return $s;
-	
-	return '?' . $s;
+	return getLink($s);
 });
 $twig->addFunction($function);
 
diff --git a/system/pages/account.php b/system/pages/account.php
index fbb6fb66..f7d5c135 100644
--- a/system/pages/account.php
+++ b/system/pages/account.php
@@ -1,6 +1,7 @@
 <?php
 /**
  * Account confirm mail
+ * Keept for compability
  *
  * @package   MyAAC
  * @author    Slawkens <slawkens@gmail.com>
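Review bot: The added header line reads `* Keept for compability`; fix the two typos and say what it is kept compatible with, since the removed `$verify_url` in createaccount.php shows the old link shape, e.g. `* Kept for compatibility with old ?p=account&action=confirm_email links`.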
@@ -8,17 +9,8 @@
  * @link      http://my-aac.org
  */
 defined('MYAAC') or die('Direct access not allowed!');
-$title = 'Account';
 
-if($action == 'confirm_email')
-{
-	$res = $db->query('SELECT email_hash FROM accounts WHERE email_hash = ' . $db->quote($_GET['v']));
-	if(!$res->rowCount())
-		echo '<div class="note">Your email couldn\'t be verified. Please contact staff to do it manually.</div>';
-	else
-	{
-		$db->update('accounts', array('email_verified' => '1'), array('email_hash' => $_GET['v']));
-		echo '<div class="success">You have now verified your e-mail, this will increase the security of your account. Thank you for doing this.</div>';
-	}
+if($action == 'confirm_email') {
+	require_once(PAGES . 'account/confirm_email.php');
 }
 ?>
diff --git a/system/pages/account/confirm_email.php b/system/pages/account/confirm_email.php
new file mode 100644
index 00000000..679b4448
--- /dev/null
+++ b/system/pages/account/confirm_email.php
@@ -0,0 +1,27 @@
+<?php
+/**
+ * Account confirm mail
+ *
+ * @package   MyAAC
+ * @author    Slawkens <slawkens@gmail.com>
+ * @copyright 2017 MyAAC
+ * @link      http://my-aac.org
+ */
+defined('MYAAC') or die('Direct access not allowed!');
+
+$title = 'Confirm Email';
+
+$hash = isset($_GET['v']) ? $_GET['v'] : '';
+if(empty($hash)) {
+	warning('Please enter email hash code.<br/>If you copied the link, please try again with full link.');
+	return;
+}
+
+if(!$res->rowCount()) {
+	note("Your email couldn't be verified. Please contact staff to do it manually.");
+}
+else
+{
+	success('You have now verified your e-mail, this will increase the security of your account. Thank you for doing this.');
+}
+?>
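Review bot: `$res` is used in `if(!$res->rowCount())` but nothing in this new file assigns it, and the SELECT/UPDATE that the removed account.php code performed are gone, so unless the including page defines `$res` beforehand (neither the account.php nor the accountmanagement.php hunks do) this fails with a method call on null, and even if it did not, no account would ever be marked verified. Restore the lookup after the empty-hash guard, `$res = $db->query('SELECT email_hash FROM accounts WHERE email_hash = ' . $db->quote($hash));`, and the write in the else branch before the success message, `$db->update('accounts', array('email_verified' => '1'), array('email_hash' => $hash));`. Since createaccount.php generates the hash with `md5()`, the guard could also reject anything that is not 32 hex characters, `if(empty($hash) || strlen($hash) !== 32 || !ctype_xdigit($hash))`, which keeps malformed input out of the query entirely.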
diff --git a/system/pages/accountmanagement.php b/system/pages/accountmanagement.php
index f65f3f96..2870caf4 100644
--- a/system/pages/accountmanagement.php
+++ b/system/pages/accountmanagement.php
@@ -25,6 +25,11 @@ if(!$logged)
 	}
 	else
 	{
+		if($action == 'confirm_email') {
+			require(PAGES . 'account/' . $action . '.php');
+			return;
+		}
+		
 		if(!empty($errors))
 			echo $twig->render('error_box.html.twig', array('errors' => $errors));
 		
@@ -33,8 +38,9 @@ if(!$logged)
 			'account' => USE_ACCOUNT_NAME ? 'Name' : 'Number',
 			'error' => isset($errors[0]) ? $errors[0] : null
 		));
-	return;
 	}
+
+	return;
 }
 
 $errors = array();
@@ -123,7 +129,15 @@ $errors = array();
 			'players' => $account_players
 		));
 	}
-	else if(file_exists(PAGES . 'account/' . $action . '.php')) {
-		require(PAGES . 'account/' . $action . '.php');
+	else {
+		if(!ctype_alnum(str_replace(array('-', '_'), '', $action))) {
+			error('Error: Action contains illegal characters.');
+		}
+		else if(file_exists(PAGES . 'account/' . $action . '.php')) {
+			require(PAGES . 'account/' . $action . '.php');
+		}
+		else {
+			error('This page does not exists.');
+		}
 	}
 ?>
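Review bot: The action-name check `ctype_alnum(str_replace(array('-', '_'), '', $action))` and both error messages are written out here and again verbatim in forum.php; a shared helper in functions.php (e.g. `isValidActionName($action)`) would keep the two allow-lists from drifting apart the next time one of them is tightened. While moving it, fix the grammar of the fallback message in both files: `error('This page does not exist.');`. Note that `ctype_alnum('')` is false, so an action consisting only of `-`/`_` characters is reported as illegal rather than as missing, which is probably acceptable but deserves a one-line comment.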
diff --git a/system/pages/changelog.php b/system/pages/changelog.php
index 74ca38ab..362cc6fe 100644
--- a/system/pages/changelog.php
+++ b/system/pages/changelog.php
@@ -14,6 +14,7 @@ $_page = isset($_GET['page']) ? $_GET['page'] : 0;
 $id = isset($_GET['id']) ? $_GET['id'] : 0;
 $limit = 30;
 $offset = $_page * $limit;
+$next_page = false;
 ?>
 
 <br/>
diff --git a/system/pages/createaccount.php b/system/pages/createaccount.php
index 2b43b9d8..6796b924 100644
--- a/system/pages/createaccount.php
+++ b/system/pages/createaccount.php
@@ -160,7 +160,6 @@ if($save)
 			$hash = md5(generateRandomString(16, true, true) . $email);
 			$new_account->setCustomField('email_hash', $hash);
 
-			$verify_url = BASE_URL . '?p=account&action=confirm_email&v=' . $hash;
 			$server_name = $config['lua']['serverName'];
 			
 			$body_plain = $twig->render('mail.account.verify.plain.html.twig', array(
@@ -181,7 +180,8 @@ if($save)
 			}
 			else
 			{
-				echo '<br /><p class="error">An error occorred while sending email! Account not created. Try again. Error:<br/>' . $mailer->ErrorInfo . '</p>';
+				error('An error occorred while sending email! Account not created. Try again. Error:<br/>' . $mailer->ErrorInfo . '<br/>More info in system/logs/error.log');
+				log_append('error.log', '[createaccount.php] An error occorred while sending email: ' . $mailer->ErrorInfo . '. Error: ' . print_r(error_get_last(), true));
 				$new_account->delete();
 			}
 		}
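Review bot: Now that the failure is written to error.log, the user-facing `error(...)` call still echoes `$mailer->ErrorInfo` unescaped into the page and additionally names the log path, exposing mail-server diagnostics to an anonymous visitor for no benefit. Keep the detail in `log_append` and show a generic line, `error('An error occurred while sending email! Account not created. Try again.');`. The `print_r(error_get_last(), true)` appended to the log entry reports whatever PHP error happened last, which may be unrelated to the mail failure; if the mailer does not raise PHP errors this is likely noise.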
@@ -200,7 +200,8 @@ if($save)
 				if(_mail($email, 'Your account on ' . $config['lua']['serverName'], $mailBody))
 					echo '<br /><small>These informations were send on email address <b>' . $email . '</b>.';
 				else
-					echo '<br /><p class="error">An error occorred while sending email (<b>' . $email . '</b>)! Error:<br/>' . $mailer->ErrorInfo . '</p>';
+					error('An error occorred while sending email (<b>' . $email . '</b>)! Error:<br/>' . $mailer->ErrorInfo . '<br/>More info in system/logs/error.log');
+					log_append('error.log', '[createaccount.php] An error occorred while sending email: ' . $mailer->ErrorInfo . '. Error: ' . print_r(error_get_last(), true));
 			}
 		}
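Review bot: The `else` on the line before the new code has no braces, so only `error(...)` belongs to it and the new `log_append(...)` runs unconditionally, writing an error.log entry with an empty `$mailer->ErrorInfo` on every successful send as well. Wrap both statements: `else {` before `error(...)` and `}` after `log_append(...)`. The point raised on the previous hunk about dropping `$mailer->ErrorInfo` and the log path from the page output applies here too.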
 
diff --git a/system/pages/forum.php b/system/pages/forum.php
index e472a335..68407dd2 100644
--- a/system/pages/forum.php
+++ b/system/pages/forum.php
@@ -185,8 +185,13 @@ if(!$logged)
 	return;
 }
 
-if(file_exists(PAGES . 'forum/' . $action . '.php')) {
+if(!ctype_alnum(str_replace(array('-', '_'), '', $action))) {
+	error('Error: Action contains illegal characters.');
+}
+else if(file_exists(PAGES . 'forum/' . $action . '.php')) {
 	require(PAGES . 'forum/' . $action . '.php');
 }
-
+else {
+	error('This page does not exists.');
+}
 ?>